[arch-general] pacman 4.0.0 signing
s.jansen at gmail.com
Thu Oct 13 23:27:06 EDT 2011
After upgrading to the new pacman 4.0, the following system update
fails due to a lot of untrusted signatures (unknown trust error).
I'm guessing we need to verify we really trust these signatures. I've
found this guide regarding validating gpg keys:
http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
this will be very similar, except using the pacman-key frontend to do
So let me step through and see if I understand correctly:
All the developers' keys seem to be published here:
So to trust Andrea Scarpino's key I would get the pgp key from the
above webpage (PGP Key: 0xD30DB0AD) and finger it:
pacman-key --finger 0xD30DB0AD
then compare the fingerprint with the one that's linked to his profile:
It seems to match, so there is a good chance it's the real deal, so
now I can locally sign it:
pacman-key --lsign-key 0xD30DB0AD
Correct? The examples in the article also mark the key as trusted.
Would that be a good idea?
We have to do this for each and every Arch developer I guess? Is there
a faster way?
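As an added example (not part of the original post, and not pacman's own tooling), the fingerprint comparison described above written as a small POSIX sh wrapper: it reads the output of pacman-key --finger, normalizes the fingerprint, checks it against the one copied from the developer's profile page, additionally checks that the fingerprint ends in the key id (a property of v4 OpenPGP fingerprints), and only then runs --lsign-key. The key listing, the fingerprint value and the PACMAN_KEY override variable are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify a developer key's fingerprint before locally
# signing it. Assumes pacman-key --finger prints the fingerprint as a
# run of 40 hex digits, optionally space-grouped and possibly prefixed
# with "Key fingerprint =" (gpg --fingerprint style output).

# Normalize a hand-copied fingerprint: drop whitespace, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Extract the first 40-hex-digit fingerprint from --finger output on stdin.
extract_fpr() {
    tr -d ' \t' | grep -oE '[0-9A-Fa-f]{40}' | head -n 1 | tr 'abcdef' 'ABCDEF'
}

# fpr_matches KEYID EXPECTED_FPR < finger_output
# Succeeds only if the fingerprint in the output equals EXPECTED_FPR and
# its trailing hex digits equal the (short or long) key id.
fpr_matches() {
    keyid=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    expected=$(norm_fpr "$2")
    actual=$(extract_fpr)
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 1
    case "$actual" in
        *"$keyid") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_and_lsign KEYID EXPECTED_FPR: sign locally only on a match.
# PACMAN_KEY is an assumed override (defaults to pacman-key) so the
# check can be exercised without touching the real keyring.
verify_and_lsign() {
    pk=${PACMAN_KEY:-pacman-key}
    if "$pk" --finger "$1" | fpr_matches "$1" "$2"; then
        "$pk" --lsign-key "$1"
    else
        echo "fingerprint mismatch for $1, refusing to sign" >&2
        return 1
    fi
}
```

Run it as verify_and_lsign 0xD30DB0AD '<fingerprint from the profile page>'; a mismatch leaves the keyring untouched.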